Mallory

Linux Cloud Threats: eBPF/io_uring Rootkits and VoidLink Malware Targeting Containers

Tags: cloud-native malware, rootkit, linux, kernel, kubernetes, docker, credential theft, cloud metadata, /proc/kallsyms, ebpf, memory forensics, containers, post-compromise, observability gaps, memory dumps
Updated March 6, 2026 at 09:05 PM · 3 sources

Security research highlighted a continued shift in attacker tradecraft toward Linux cloud and container environments, with stealth-focused malware increasingly abusing modern kernel capabilities. Elastic Security Labs documented the evolution of Linux rootkits from userland hijacking and LKM implants to newer generations that leverage eBPF and io_uring for stealth and evasion, citing examples including TripleCross, Boopkit, and RingReaper. Separately, reporting on VoidLink described a cloud-native malware framework designed to operate inside Linux workloads, detect whether it is running in major cloud providers and in Docker/Kubernetes, and adapt its behavior to remain persistent while harvesting sensitive material such as cloud metadata and credentials.

Operationally, the same kernel features and observability gaps being leveraged by attackers are also driving defensive tooling improvements. Trail of Bits released mquire, an open-source Linux memory forensics tool intended to reduce dependency on external debug symbols by extracting structure and symbol information directly from memory using BPF Type Format (BTF) and Kallsyms (e.g., /proc/kallsyms-style data), then exposing findings through an interactive SQL query interface. While mquire is not tied to a single named campaign, it is directly relevant to investigating advanced Linux threats (including kernel-level implants and stealthy cloud malware) by enabling more reliable post-compromise analysis of Linux memory dumps across kernel versions.

Sources

March 6, 2026 at 05:33 PM
March 4, 2026 at 02:33 PM

Related Stories

Check Point Uncovers VoidLink Modular Linux Malware Targeting Cloud and Container Environments

Check Point Research reported a newly identified, highly modular Linux malware framework dubbed **VoidLink**, designed for long-term, stealthy control of Linux servers and containerized infrastructure. The framework is described as “cloud-first,” with a professional operator ecosystem that includes a web-based management dashboard and a custom plugin architecture (reported as inspired by Cobalt Strike’s BOF model) that allows capabilities to be added or removed as campaign objectives change. Reporting indicates VoidLink ships with **30+ modules/plugins** spanning reconnaissance, credential theft, privilege escalation, lateral movement, and anti-forensics (including log wiping), and that it can adapt its behavior to the environment to reduce detection risk. VoidLink is positioned as a direct threat to enterprise cloud workloads, with functionality to identify whether an infected host is running in a major public cloud provider by querying instance metadata via provider APIs (including **AWS, Azure, GCP, Alibaba Cloud, and Tencent Cloud**, with indications of planned expansion to additional providers). The reporting emphasizes that this breadth and engineering quality are atypical for Linux malware and align more with “professional” threat actor tradecraft, reflecting increased attacker focus on the **Linux servers, Kubernetes clusters, and Docker/containerized environments** that underpin modern enterprise deployments.

2 months ago
Research Highlights Malware and Post-Compromise Abuse Targeting Linux Network and Server Infrastructure

Security researchers reported several distinct but related findings showing how attackers are abusing **Linux-based infrastructure** for botnets, cryptomining, and post-compromise operations. Eclypsium identified a new **CondiBot** variant labeled `QTXBOT` and a previously undocumented **Monaco** cryptominer targeting network devices and exposed SSH services, with Monaco using brute-force access and exfiltrating stolen credentials to a command-and-control server hosted on Alibaba Cloud Singapore. Separately, Hunt.io exposed an Iranian-operated relay and botnet environment through an open directory, revealing a **15-node** tunnel network, SSH-based mass deployment tooling, on-host compilation of DDoS malware, and active command-and-control infrastructure. Flare also documented how threat actors repeatedly use the legitimate open-source script **Bench.sh** after initial access to profile compromised systems, including JupyterLab, Jupyter Notebook, SSH, Apache Tomcat, and PHP-based environments, in order to assess CPU, memory, disk, and bandwidth for follow-on abuse such as cryptomining, proxying, or DDoS. The reporting does **not** describe a single shared intrusion campaign: the CondiBot/Monaco discovery, the Iranian botnet infrastructure exposure, and Bench.sh abuse are separate research items connected by the broader theme of attackers operationalizing compromised Linux and network infrastructure. A separate report on **FancyBear/APT28** email theft and a general weekly security recap are different topics and should be excluded.

Today

LinkPro eBPF Rootkit Deployment in AWS and Linux Environments

A sophisticated cyberattack targeted AWS-hosted infrastructure, specifically exploiting a vulnerable Jenkins server to gain initial access. The attackers leveraged CVE-2024-238976 to move laterally into AWS Elastic Kubernetes Service (EKS) clusters, where they deployed a malicious Docker image named kvlnt/vv. This image contained a Rust-based downloader, vGet, which was used to retrieve an encrypted vShell backdoor payload from an Amazon S3 bucket. The threat actors achieved persistence and escalated privileges by exploiting container escape vulnerabilities, particularly through host filesystem mounts.

Once inside the environment, the attackers installed the LinkPro rootkit, a Golang-based malware designed for GNU/Linux systems. LinkPro embeds four ELF binaries, including two eBPF modules called 'Hide' and 'Knock', a shared library (libld.so), and an unused kernel module (arp_diag.ko). The Hide module uses tracepoint and kretprobe hooks on getdents and sys_bpf to conceal files, processes, and its own BPF maps, effectively evading detection by tools such as bpftool. The Knock module listens for specially crafted TCP 'magic packets' (SYN packets with a window size of 54321) to activate its command and control (C2) listener, redirecting traffic to a hidden port (2233) and bypassing firewalls and log monitoring. If eBPF is unavailable due to kernel restrictions, LinkPro falls back to the LD_PRELOAD technique, installing a malicious shared library to hook libc functions and hide its presence in user space. Persistence is further maintained by masquerading as systemd-resolved, creating deceptive files and unit configurations to blend in with legitimate system processes.

Once operational, LinkPro provides attackers with full remote shell access, file manipulation capabilities, SOCKS5 proxy tunneling, and DNS/HTTP-based C2 communications.
The infection chain demonstrates advanced techniques for both initial compromise and stealthy long-term access, including the use of encrypted payloads, container escape, and kernel-level rootkit functionality. The campaign highlights the growing abuse of eBPF technology by threat actors to evade traditional security controls and maintain covert access to cloud and Linux environments. Indicators of compromise and YARA rules have been published to aid in detection and response. The incident underscores the importance of securing CI/CD pipelines, monitoring for unusual container activity, and hardening Linux kernel configurations against eBPF abuse. No definitive attribution has been made regarding the threat actors behind this campaign. The attack serves as a warning for organizations leveraging cloud-native technologies and underscores the need for robust monitoring and incident response capabilities.
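The LinkPro description above gives a defender two concrete, host-independent signals: the Knock activation packet (a TCP SYN with window size 54321, followed by traffic to the hidden port 2233) and the LD_PRELOAD fallback (a shared library registered in /etc/ld.so.preload). The following added example, which is not code from the original reporting, shows detection logic for both over constructed input: a short list of TCP segment records standing in for flow or packet-capture data, and a constructed /etc/ld.so.preload body. The record layout, the sample addresses and the library path are assumptions made for the demonstration; the window size and port come from the report.

```python
from dataclasses import dataclass

# Values the reporting attributes to LinkPro's Knock module.
MAGIC_WINDOW = 54321
HIDDEN_PORT = 2233


@dataclass
class TcpRecord:
    """Minimal per-segment record; the field set is an assumption for this example."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S" (SYN only), "SA", "PA"
    window: int    # advertised window size


# Constructed sample records, not a real capture. 203.0.113.7 is a
# documentation address used here as the hypothetical external source.
SAMPLE_RECORDS = [
    TcpRecord(1.0, "10.0.0.5", "10.0.0.9", 443, "S", 64240),     # ordinary SYN
    TcpRecord(2.0, "203.0.113.7", "10.0.0.9", 80, "S", 54321),   # magic window on SYN
    TcpRecord(2.5, "203.0.113.7", "10.0.0.9", 2233, "S", 29200), # follow-up to hidden port
    TcpRecord(3.0, "10.0.0.6", "10.0.0.9", 22, "PA", 54321),     # same window, not a SYN
]


def find_magic_syns(records, window=MAGIC_WINDOW):
    """SYN-only segments whose advertised window matches the activation value."""
    return [r for r in records if r.flags == "S" and r.window == window]


def find_knock_followups(records, window=MAGIC_WINDOW, hidden_port=HIDDEN_PORT, within=30.0):
    """Pair each magic SYN with a later connection from the same source to the hidden port.

    A bare window match is a weak signal on its own (any client may pick that
    value); the same peer reaching the hidden port shortly afterwards is the
    stronger indicator.
    """
    hits = []
    for knock in find_magic_syns(records, window):
        for r in records:
            if (
                r.src == knock.src
                and r.dst == knock.dst
                and r.dport == hidden_port
                and knock.ts < r.ts <= knock.ts + within
            ):
                hits.append((knock.src, knock.ts, r.ts))
    return hits


def preload_entries(text):
    """Non-comment, non-empty entries of an /etc/ld.so.preload body.

    On a typical host this file is absent or empty, so any entry is worth review.
    """
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


# Constructed file body; the path is an assumed location, not one from the report.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libld.so\n"


if __name__ == "__main__":
    print("magic SYNs:", find_magic_syns(SAMPLE_RECORDS))
    print("knock + hidden-port pairs:", find_knock_followups(SAMPLE_RECORDS))
    print("preload entries:", preload_entries(SAMPLE_PRELOAD))
```

Two caveats follow from the report itself. The network check works from a vantage point the rootkit does not control (a tap, a cloud flow log, a sidecar), which is why it is paired with the follow-up to port 2233 rather than relying on the window value alone. The preload check reads file content, and the Hide module conceals files from getdents-based listing on a live host, so run it against a mounted image, a memory dump, or by opening the known path directly rather than trusting a directory listing.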

5 months ago
